Posted
by
Soulskill
on Monday March 18, 2013 @01:25PM
from the looked-at-a-poster-and-told-somebody-about-it dept.

In 2010, querying a public AT&T database yielded over 114,000 email address for iPad owners who were subscribed to the carrier. One of the people who found these emails, Andrew 'weev' Auernheimer, sent them to a news site to publicize AT&T's security flaw. He later ended up in court for his actions. Auernheimer was found guilty, and today he was sentenced to 41 months in prison. 'Following his release from prison, Auernheimer will be subject to three years of supervised release. Auernheimer and co-defendant Daniel Spitler were also ordered to pay $73,000 in restitution to AT&T. (Spitler pled guilty in 2011.) The pre-sentencing report prepared by prosecutors recommended four years in federal prison for Auernheimer.' A journalist watching the sentencing said, 'I felt like I was watching a witch trial as prosecutors admitted they didn't understand computers.'

Know I'll get modded down for going against Slashdot groupthink. But what is the argument suggesting? "It all happened on a computer, it shouldn't be prosecuted?" Stealing private information and releasing in publicly isn't just obviously illegal, it caused grief for 114,000 people.

Even if AT&T has a shitty security system, that doesn't make it legal to break in. I'd love to see Slashdot do more mundane crimes. Maybe the home had a sign saying "beware of dog," but the dog was actually at the vet, so the robber was just publicizing a security flaw.

I suppose the prosecutors figured out that Auernheimer managed to lay his hands on over 100,000 email addresses that iPad owners had used to register their devices. So not random email addresses, but email addresses that were in actual use, and with some rather significant personal information attached.

So what exactly do they need to understand about computers beyond that?

The purported target, AT&T, is hardly the nicest organization, but the actually affected people were just regular people. This doesn't seem especially out of line with the USA's normal unhealthy sentencing. We want to punish, not correct, those convicted here.

As long as that attitude remains dominant, miscarriages of justice will occur within every branch of justice(except for the super-rich).

As someone else pointed out, all he did was request data from a public server and AT&T sent it to him. Also, he got 41 months for forwarding 114,000 email addresses to news site, which is overkill. Had he physically broke into an AT&T office and took the email addresses from someone's desk, he would have received less prison time.

He should have been given community service at the most, and then got an award for exposing a flaw from AT&T.

That the defendant did not "break in". He did not circumvent any system or other contrivance designed to secure sensitive information. Those systems and contrivances simply did not exist. The worst that can be said of what he did was that he was irresponsible in sending the clearly sensitive information to someone else. The right thing to do, of course, would have been to contact AT&T. Had he done that, there wouldn't even be a case for restitution, unless maybe it was to compensate the defendant for doing the work that AT&T failed to do.

Their response to the other is "Oh my god, if they can webscrape publicly accessible information, the next thing these vial social outcasts will be doing is hax0ring into NORAD and launching nuclear warheads and initiating WWIII and I can't have that because I haven't finished watching Real Housewives, yet!"

That. It's a flaw that AT&T never would have addressed without public pressure. Further, Mr. Auernheimer did not release private info to the public -- the news agency to which he released the then already-public information is responsible for further publicizing it.

Bottom line: it is ludicrous-speed absurd to prosecute somebody for publicizing already public information. If a newspaper accidentally prints the names and addresses of its entire subscriber base in the classifieds, and I call them to report it, can I then be held accountable for "releasing" the information?

If a bank didn't have a door on it's vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Nearly everything Weev does is malicious, but the question is: is it (or should it be) illegal? He was convicted of identity fraud and "conspiracy to access a computer without authorization". Think about that: requesting unprotected publicly-accessible webpages is "access[ing]" a computer without authorization". By that standard, anyone who uses the internet could be convicted of a crime.

If a bank didn't have a door on it's vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Here's a better analogy: you send the bank self-addressed stamped envelopes, and they willingly send private information about their clients back to you in those envelopes.

Based on the context it was more then just accessing publicly available data. It's not as if he clicked on an link and went "Oh, look, a bunch oh e-mail addresses!". There was effort involved into getting to that list.

That being said, even if he did run into a bunch of e-mail addresses by being in the wrong place at the wrong time.. e-mailing that list to someone and going "OMG LOOK AT THIS" was proof that he knew the seriousness of the list he found. It cannot be argued that he did not know what he was doing.

It's all about who the victim and the perpetrator of the crime is: In the Steubenville case, the victim is a powerless teenage girl, and the perps are a couple of somewhat powerful (at least locally, where the high school football team is a privileged class) teenage boys. In this case, the victim is AT&T (the largest campaign donor in the US), and the perp is a relatively powerless computer geek.

This is just a subset of the more extreme differences: Rob $2000 from a bank, and if you're lucky you won't be shot by the police. Rob $2 billion from a bank, and the SEC or OCC will settle with you for $500 M (25% of your take) and no admission of wrongdoing.

And no, that's not the way it's supposed to work, but it's the way it's actually working.

First off, the whole reason these guys got whacked by the judge is because they did the standard script-kid thing and went onto IRC and boasted about it, and talk about how they were going to take down AT&T, and make a name for their security company ( Goatse Security, obvious play on goat sex troll )

He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

By that rationale, any request on a web server via the HTTP GET or POST that could escalate privilege or divulge private data should go unpunished. You realize the number of vulnerabilities accessible via a well crafted GET URL? XSS, SQL Injection, tons of stuff. Ignore the fact HTTP is even involved here. This is no different than finding a weakness at any other level of the OSI model, the fact people can easily understand HTTP GET's doesn't make them any less serious and dangerous to an attacker.

Honestly, this has been argued over the Ping of Death back in the day. I mean, your simply sending an ICMP packet via a ping command, it's not like your hacking.

In the end it's about context. Exploiting a weakness is by definition hacking. Just because the hack isn't enigmatic, doesn't mean it's not a hack. Look at Jon Draper and a plastic whistle that happened to hit 2600hz easily.

"But it's just a guy blowing a whistle into a phone, it's not hacking".

These guys crafted a specific HTTP GET request that returned private data. The key in this request was generated by them based off a known flaw in ATT's systems (using ICC-ID as a semi private key). Then they shared that data with a news organization.

Sure, those of us in the industry can shake our head at how stupid AT&T was, but at the same time most of us recognize the line these two guys crossed. It's one thing to send an e-mail to AT&T and copy a security mailing list with a simple example, it's another to write a program and automate the extraction of over 120k e-mails and then package the data and send it to Gawker, while boasting about it on IRC channels.

Auernheimer likened his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.

I could make the same argument for randomly trying passwords against accounts. "I'm just checking to see if this key happens to work in this door...."

They would only be fined 1 days worth of profits...Corporations are people too? Bullshit. Corporations are treated better than people, under the law. I seriously suggest that every individual incorporate themselves and, when accused of any wrongdoing, claim it was via the corporation, and suggest that the law take it up with the board of directors.

Even with all you said, the penalty for these 'computer crimes'....is WAY off base as far as matching punishment with crime.

We have convicted rapists and murderers that seem to get off with lighter sentences than people that do anything that involves a computer these days, even if the results don't hurt anyone and only embarrass a company or some govt. personnel.

But he didn't trespass -- he didn't break any laws or even conventions regarding the distinction between public/private property in requesting and being provided this information. If the pile of gold in your unfenced yard was on a conveyor that could be activated from the street, I think you would be hard-pressed to convince anyone that you intended the gold to remain in your yard. Likewise, spewing out customer details in response to a simple sql query to a public-facing DB server, which requires absolutely no circumvention of existing security measures, is difficult to paint as an earnest attempt to make a public/private delineation, and thereby prevent even accidental leakage.

As has already been pointed out, the key charge here is "access[ing] a computer without authorization." Since the publicly-facing DB server was not in any sort of secured or even posted enclave, it can only be presumed that the court finds the mere act of interfacing with this system a crime for no reason other than that AT&T has established the server as "private" after-the-fact. That opens up a terrifying door in that any service provider could suddenly declare you persona non grata retroactively, and bring similar criminal charges against you. While that's certainly a leap, it's not a big one...

If a bank didn't have a door on it's vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Here's a better analogy: you send the bank self-addressed stamped envelopes, and they willingly send private information about their clients back to you in those envelopes.

If those envelopes were in any way a misrepresentation of your legal desire to communicate with your bank (such as an incorrect identity, overstated request, etc) then you, the sender, are guilty of mail fraud. Do not pass go, do not collect $200. The legal system seems to be pretty mysterious to a large part of slashdot...

There was precisely zero reverse engineering required for anyone with an IQ above room temperature, and the "trial and error" amounted to nothing more than trying one address after another with point-and-click port scanners.

For the old fogies: he dialed every phone number assigned to your local bank until he found the desk of a moron who would answer every question posed without asking for either authorization or identification, even if it included personally identifiable information for the bank's customers.

While the activity is dubious and the perpetrator is obviously a Bad Man (TM), there is nothing illegal about calling and asking for information. Providing said information, on the other hand, violates innumerable consumer protection laws and PII handling regulations applicable to various industries. The fact that the "hacker" in this instance is facing jail time while the "victim", AT&T, suffers not even a slap on the wrist, is the ultimate perversion of justice. Anyone who needs more proof regarding who and what actually runs this country simply isn't paying attention.

Indeed, but I guess it wouldn't make a difference if he just showed how to do it, instead of actively forwarding the addresses.

But what bothers me is not that he's being punished, but the severity of the punishment. 41 months in jail? Please, remind me how many months in jail did the Santander employees responsible for money laundering for terrorists get... oh, wait, I remembered, they didn't even get prosecuted, because rich people can screw everybody freely.

. . . say I left a pile of gold in the street, I can't have any expectation it'll be there tomorrow, the streets not mine, but say I left it in my yard, and it's unfenced, to get it, you have to trespass + it's on my property. That's what this guy did, he trespassed and took it . . .

No, he didn't trespass. The owner had a clear understanding with the public that they were allowed in the yard. The man saw a pile of gold in the yard and asked the local robot - which the owner had configured to hand out various piles of sand, peanuts, dirt, grass clippings and other things in the yard. The local robot obliged and the requestor found it uncomfortable that something so significant had been handed out without question.

What if one of those email addresses is an old lady that gets scammed by a nigerian prince? What if it's 100 of those emails that that happens to?

If it's that serious then we need to find AT&T criminally negligent for letting absolutely anyone get all those private email address. If it's not that serious after all, then there's no point in railroading the guy who reported the problem, but we can't have it both ways.